Hitting Windows 8 reset button: Security bonus saves time and money

Dominic Vogel makes his pitch for the Windows 8 reset button from a security perspective.

The much ballyhooed Windows 8, Microsoft's latest release of its flagship product, will allow users to restore their Windows 8 PC to its pristine factory state through the push of a single button. There are two distinct restore types: reset and refresh. A reset will restore a Windows 8 PC to its original factory state, consequently removing any personal data, apps, and settings. A refresh will reinstall Windows 8, but preserves any documents, wireless network connections, BitLocker settings, drive letter assignments, personalization settings, and installed Metro apps. Any file-type associations, display settings, and Windows firewall settings will not be retained after a refresh.

The reset/refresh options are different from the current System Restore process found in Windows 7/Vista/XP in that Windows is completely reinstalled (the current System Restore reverts to a "last known good state", so not all current system settings or files are retained). Additionally, the System Restore files are not immune from becoming infected with malware. I assume cybercriminals are already looking for any weaknesses in the new reset/refresh process. A refresh takes approximately eight minutes, a quick reset six minutes, and a thorough reset 23 minutes. The thorough option overwrites any existing data visible to the operating system.

Good news for support pros

From a security perspective, the reset/refresh options provide a great method for quickly restoring malware-infested computers to a "safe" state. Before security companies rush to play the antitrust card, they should realize that this capability complements any endpoint security software nicely. The purpose of endpoint security software is to prevent any malicious software from being run or installed in the first place. However, as any IT professional can attest, having such software does not equate to complete immunity. Scareware, rootkits, keyloggers, trojans and other nefarious items can still make their way onto a computer. The reset/refresh option allows for a quick recovery when the security software "fails". The security industry has yet to prove that its products are able to fully cover the entire prevent/detect/recover/remediate cycle.

Depending on the industry, anywhere from 40% to 70% of IT support (or help desk) employee time is spent removing viruses and malware from company computers. Generally speaking, the time required for someone to run an antimalware removal tool and conduct further troubleshooting (if needed for particularly troublesome malware) can easily exceed an hour. This leads to productivity loss and subsequent frustration. Countless hours are spent either attempting to remove all traces of the malware from the computer or completely wiping the machine, re-imaging it from scratch, and installing the latest patches. On top of that, time is needed to reinstall any applications, copy over any files, and restore usability settings. Pretty soon an entire afternoon (or morning) is lost. This is crucial time taken away from IT support (and the employee whose laptop was infected) when they could have been working on more strategic projects that actually provide value to the company. When scaled by organization size, the productivity loss grows exponentially. The time spent cleaning up viruses and malware costs the company money and negatively affects the bottom line.

In a time when companies are cash-strapped and desperate to find cost savings, reducing the time devoted to recovering from malware infections to mere minutes will not only reduce costs but also translate into a competitive advantage. Making use of the reset/refresh one-click option in Windows 8 is a no-brainer. The security industry would be foolish to view it any other way.

About

Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.

24 comments
Lost Cause?

I guess the first thing I would do is install a secondary hard drive. Then any programs I installed would be set to install to the secondary hard drive. This would help keep my data from being "Reset". Remember - If it's important - back it up to at least 3 places!

zynn

This is great for my home PCs. My kids are always messing up their computers and running to me. They know how to back up their data to an external drive and this gives them a way to go back fresh from the installs and toolbars that have junked up their computer. My daughter's first computer was a Patriot Barbie Computer and it had Go Back Technology. It was a godsend. The kids would play, the computer would mess up and I would reset it to 12/26/1999 and it was brand new all over again. I like that this has the option to keep their "data" and how much faster it runs. It did not mention if it retains all updates run on the computer. Would I trust this with my data? Probably not if my data was very important. I would back up before using it. I work in a college and I do believe this would be helpful in our IT department for the faculty and staff that are not controlled with Deep Freeze.

proctor.mark.a

In a time where companies are cash strapped and desperate to find cost savings, what justification do they have for switching to Windows 8 in the first place?

Freebird54

The main thing that struck me about this whole subject is that there appears to be no provision (still) for keeping your NON-Metro applications usable. Looks to me that the same old tired routine of locating install media for ALL your applications, and all their install codes, and any updates they've had in the meantime continues to be required. Presumably this will be mitigated somewhat by switching everything you can to Metro apps - but can you actually do that? I have my doubts :) If they designed/enforced separate partitions for OS, apps and data then perhaps a truly useful reset/refresh might be doable. No - I won't mention where that sort of setup is likely to be found :) Just look closely before you push the button the first time!

Gisabun

If you buy a computer in the store or online [HP, Dell, etc.] they have already had the so-called "reset" feature available for years. Dell stores it in a hidden partition. HP doesn't [which I always found dumb]. I'd assume Microsoft would include a mechanism if you are installing from scratch [i.e. you built your own or upgraded from an older OS]. Refresh may not be a great idea - depending on where the malware lies. If it backs up data and no settings then it wouldn't be a bad idea but it's usually in the registry where malware plays around.

fvazquez

Instead of wasting precious programming hours on restoring Win8 to its factory state, MS should spend more time making Windows less disaster prone, because this tells me that at some point MS knows Win8 is going to fail... I don't like this...

sbarsanescu

"Making use of the reset/refresh one-click option in Windows 8 is a no-brainer. The security industry would be foolish to view it any other way." So, rather than understand the cause, erase all and back to square one. And... what's going to stop the same issue from occurring again? This is the same black box approach that we see more and more of lately. This approach might work for the clueless user, but not so for an IT dept. The first thing we need to understand is what happened - and why. So that we can assess damage, fix the issue and implement the fix. From a forensics aspect, this is the absolute no-no. From an asset management perspective, this is a huge waste of time - better to spend 4 hrs diagnosing the problem and implementing a fix to 1000 laptops than to spend 6 mins times 300. Is IT really going there? I read this as - we don't care about data, all that matters is the OS and hardware. Come on guys, the real value is in the data, the content we create. The rest are tools. Valuable, but replaceable tools.

Michael Kassner

Where is the restore image saved? I'm betting it is on the same hard drive. If so, there is no guarantee that the malware will be removed. That becomes somewhat possible if the entire drive is re-imaged.

Al_nyc

This sounds like a nice feature. It will save a lot of time. I'm super careful about what I click on and what gets installed on my machine and I have still managed to get infected with a virus on a couple of occasions. Each time I spent at least a day trying to fully recover. Cutting that to less than 10 minutes, plus the time to re-do some of my settings, is a big plus.

pgit

Of course we'll have to wait and see if there are any unforeseen drawbacks to this. One thing I can think of offhand: typical users calling Dell or HP support might be told to run a reset out of hand, rather than try to understand the problem. I have had numerous customers that lost everything, all their data, by following the directions provided by big box support. None of them were told "back up your data first," just throw the disk in, or reboot to the recovery and go...

jtbrooks

There are way too many questions behind a reset/refresh. What does factory state mean, my original corporate image or straight out of the box? Either way, what happens to applications installed after "factory state"? It keeps user account information but what about computer account information? Removing the machine from the domain removes access to domain accounts. What about updates/hotfixes? These are questions that I thought of just now. This sounds nice but so does vPro. How many companies will actually find this useful?

mike_patburgess

This could be a nice start. However, it would be very nice if they took a page from the mainframe OSes of old. I will not go into the design details of the mainframe OS but suffice to say any "program" could not crash the OS. The program or application had an address space that it had to execute in, and if it tried to go outside that space, the OS crashed the program or app, preserving the integrity of the OS. The OS needs to be distinct and something that controls the applications and one where you cannot overwrite any aspect of the OS; in effect a read-only OS, something on an ASIC. Like I said, a very good start in an attempt to preserve the OS.

tim_s_parker

First posting I have seen on Windows 8. I cannot get my Windows 8 to connect to my network. I have a second work area Windows 7 and I can use the network fine.

denbo68

This is nice but a solution such as the now extinct Steady State would be better. This allowed you to capture the state of a desktop and always keep it in that state. Even if the user made changes they would be removed on a reboot.

TCG Inc.

Most companies will not make the switch for many years to come. There are still quite a few that are using XP Pro, but as the lifecycle winds down for XP, they may be forced to move to a newer OS...and they might just skip Win7 altogether.

TCG Inc.

As long as ComboFix works on Win8, I'm good! :-)

JCitizen

that the 'cyber criminals' have already got a workaround. They can put recovery files into drive sectors marked as bad, change the state of the BIOS to help subvert this process, and take over the drive controller by flashing it during a session. These are only a few of the tricks in the cracker tool kit.

jred

I'd encrypt the install image, but that's just me, and I only spent 5 seconds thinking about it. I'm sure there's a really good reason why that wouldn't work.

gechurch

It sounds to me like they're bringing back repair mode. With XP you could boot from the XP disk and choose to repair an existing installation. It kept all programs intact, left updates on, left the machine on the domain, left data alone etc. It just replaced all the core OS files.

gechurch

What you describe has been the case with the entire NT line of Windows (that is NT 3.1, 3.5, 4, Windows 2000, XP, Vista and 7). NT 3.1 came out in 1993, so it's actually almost two decades ago they made this change. There's a separation of the virtual address space (which is always 4GB on a 32-bit machine) - by default 2GB is assigned to kernel mode (where the core OS components and drivers live) and the other 2GB is used for user mode (where applications live). The address space for every program is separated, so it is impossible for one application to overwrite another program's memory, or to otherwise crash it. It is also impossible for anything in user mode to cause a stop error - they can only happen in kernel mode. If a stop error happens when you run a program, it means the program sent a request to kernel mode to do something (like access the hard drive, for example), and it was that action down in kernel mode that actually caused the stop error.

JCitizen

that Steady State protected the MBR though. Today's threats know all the tricks. Last I checked, I seem to remember that there are a few attacks that can subvert Steady State, enough to control the session.

Gisabun

That's fine in a school or a kiosk but not at home or a regular business.